Belgian DPA’s direct marketing recommendation: critical analysis

Belgian DPA’s direct marketing recommendation: great first attempt, but questionable positions included. First thoughts:
[The BDPA has published a new direct marketing recommendation (replacing one of 5 years ago), and it’s a very good document. A public consultation is open until 10 May, and I hope some comments will deal with its shortcomings.]

– Claim that targeted advertising always involves the processing of personal data (p. 15-16): as readers know, I challenge this assumption in many scenarios. As always, if you don’t think you are processing personal data, *document it carefully* – and read up on my take on the Advocate General’s Opinion in the SRB case.

– The BDPA quotes many of its decisions as examples, despite claiming in other situations that these are not precedents (+ without indicating whether there has been an appeal or if that appeal is pending)… so these decisions aren’t the absolute truth. Again: if you take a different view, *document it* and prepare to challenge the BDPA if questioned.

– The BDPA suggests that the obligation to inform data subjects re purposes must allow a prima facie assessment of proportionality of the processing (!), so “direct marketing” is an insufficient label for a purpose (pp. 24-26). I am unconvinced, and it echoes the questionable idea that “informed” consent requires understanding the consequences of processing (EDPB’s Consent or Pay Opinion).

– On data retention, the BDPA states that “the frequency of obsolescence of [a product/service] whose sale is at the origin of the data collection can […] influence the assessment of the retention period” (pp. 27-28), a possible opening for services or products that lead to customer loyalty.

– On data sources, the BDPA stresses its position that informing data subjects about the source of personal data (Art. 14 GDPR) covers more than the identity of the source but “all available information concerning the source”, including legal ground relied upon by the source, manner of collection by the source and contact details of the source (p. 58). I am unconvinced – it’s yet another position that begs the question “how much GDPR is too much GDPR?” and that puts an excessive burden on controllers.

– Similarly, on data brokers, the BDPA says that accountability implies a due diligence obligation, notably to “verify notably the origin of the data, control the manner in which they have been collected, on which legal ground, by whom, for which purposes, during which timeframe and for which processing activities” (p. 59).

– Then follows a reminder that data protection regulators presume that contracts are just paper, that parties lie and that they perform contracts in bad faith, as a clause requiring data protection law compliance for provision of data is insufficient (p. 59).

– Some ePrivacy considerations are there too, notably on jurisdiction. More on that in part III of my ePrivacy series.

Originals:
FR: https://lnkd.in/ewKmpMfT
NL: https://lnkd.in/eT3C9rPh
